Major Hotel Chain Reveals Breach Right Before Thanksgiving Travel Week

Next week is one of the busiest travel weeks of the year, and one major hotel chain has already run into some major challenges: Starwood Hotels & Resorts Worldwide Friday notified customers of a data breach affecting some of its locations.

Starwood said in a letter to customers that it had recently discovered malware on its point-of-sale systems at some restaurants, gift shops and other retail locations in its hotels. The company, which owns and operates the hotel brands St. Regis, The Luxury Collection, W, Westin, Le Méridien, Sheraton,Four Points by Sheraton, Aloft, Element and Tribute Portfolio, said it did not appear that the guest registration systems were affected.

The timing is less than ideal for the hotel chain, not only because of the upcoming Thanksgiving holiday, but also because of its announcement just last week that rival hotel chain Marriott International intends to acquire it in a $12.2 billion deal.

[Related: It Pays To Be The Boss: 10 Highest-Paid Security Vendor CEOs]

Sponsored post

The breach compromised payment card information of an unspecified amount of individuals, including cardholder name, payment card number, security code and expiration date. The letter said that it did not appear from the company’s investigation that contact information, Social Security numbers or PINs were compromised.

The company said the data breach affected 54 of its locations (the full list of which it has posted here). The length of compromise varied by location, but started as early as November 2014 and extended until as late as October 2015.

Starwood said that it has hired third-party forensics experts to investigate the breach and is offering identity protection and credit card monitoring services to those affected. The company said it will alert those customers whose cards were impacted by the breach.

This announcement marks the second data breach of a major hotel chain in recent months, with competitor Hilton Hotel saying in September that it had discovered a breach dating back to November 2014. The breach was similar in nature, affecting the point-of-sale systems in the hotel gift shops and restaurants, but not appearing to affect the company’s reservation systems.

Carl Mazzanti, CEO of eMazzanti Technologies, a Hoboken, N.J.-based solution provider that does a significant portion of its business in the retail sector, said the nature of a hotel’s technical ecosystem makes it particularly vulnerable to breaches. The sheer number of systems, from POS, to media, to reservations, to loyalty rewards, to retail and more, make it ’near impossible’ for the businesses to handle the situation on their own.

’To guess the number of vulnerabilities that are out there in the industry, I would say it would be pretty high,’ Mazzanti said.

For that reason, Mazzanti said it is more likely than not that we will see more security incidents hit hotel chains in the coming months.

’My guess is that there aren’t the typical resources inside the hotels,’ Mazzanti said. ’You should see an uptick [in the number of security incidents].’

Mazzanti said solution providers that are PCI Qualified Integrator and Reseller (PCI QIR) certified, such as eMazzanti, know what to look for in retail environments to identify and remediate security risks.